Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004 Richard Mayr
Formal Verification Proving the correctness of a given hardware- or software system w.r.t. specification, or finding the errors in it. a given Specification can be described by Specification languages Temporal logic formulae Abstract prototype systems The goal: If the system is correct, then prove it (automatically or semi-automatically). If the system is not correct then explain why. Ideally by a short counterexample. Verification of Infinite-State Systems 2 c 2004 Richard Mayr
Verification Methods Semiautomatic methods Manual or semiautomatic abstraction techniques. Reduction to problems which automatic methods can handle. Theorem provers (e.g., Isabelle, PVS). Automatic methods Reachability analysis Temporal logics and model checking (e.g., SPIN, SMV). Semantic equivalence checking Semantic preorder checking (i.e., A B, B implements A). Simulation preorder Trace preorder Verification of Infinite-State Systems 3 c 2004 Richard Mayr
Formal Verification Methods Finite-state systems: Theory relatively well understood. Problems with handling very large state spaces. Techniques used: BDDs minimization (preserving interesting properties) symmetry reduction PO-reduction search heuristics Many software systems are infinite-state. How to handle them? Verification of Infinite-State Systems 4 c 2004 Richard Mayr
What makes systems infinite? Unbounded recursion: Abstract models: pushdown automata, context-free processes Process creation and concurrency: Abstract models: Petri nets, Basic Parallel Processes, PA-processes Counters: Abstract models: counter machines (reversal-bounded, flat, 1-counter) Buffers: Abstract models: FIFO-channel systems, Lossy FIFO-channel systems Real time: Abstract models: Timed automata. Unbounded data structures: Abstract models: Extended automata Verification of Infinite-State Systems 5 c 2004 Richard Mayr
Model Checking and Related Methods Reachability analysis: Symbolic representations of (infinite) sets of states. Algorithms for computing Pre (set of predecessors) of a given set of states Post (set of successors) of a given set of states = Useful for checking safety-properties. Model checking with branching-time temporal logics: EF, EG, CTL, CTL, modal µ-calculus. Model checking with linear-time temporal logics: LTL, linear-time µ-calculus. Semantic equivalence/preorder checking of abstract specification and more refined model. E.g., simulation, bisimulation. Verification of Infinite-State Systems 6 c 2004 Richard Mayr
Highlights of my own work Process Rewrite Systems [Mayr, 1997]. A unified formalism for describing many classes of systems by term rewriting. Strictly more general than Petri nets and pushdown automata. Decidable reachability problem. Temporal logic EF Decidability of model checking for process classes PA and PAD [Mayr, 1997,1998]. Construction of characteristic EF-formulae for finite-state systems w.r.t. strong and weak bisimulation [Jančar, Kučera, Mayr, 1998]. Undecidability of boundedness for lossy counter machines [Mayr, 2000]. Very general undecidability result with consequences for lossy FIFO-channel systems, transfer Petri nets, parameterized systems, etc. Verification of Infinite-State Systems 7 c 2004 Richard Mayr
More Highlights Undecidability of weak bisimulation equivalence for 1-counter processes [Mayr, 2003]. Weak bisimilarity undecidable for Petri nets with just 1 unbounded place. Thus undecidable for almost all classes of infinite-state systems. Polynomial time algorithm for checking strong/weak bisimulation equivalence between context-free processes and finite-state systems [Kučera, Mayr, 1999]. Works by construction of the bisimulation-base, a compact representation of the whole infinite equivalence relation. Why simulation is harder than bisimulation [Kučera, Mayr, 2002]. Applied verification: A scalable automatic method for analyzing buffer overflow conditions in UML RT and Promela models. IBOC-tool. Verification of Infinite-State Systems 8 c 2004 Richard Mayr
Semantic Equivalences Consider systems/states as equivalent if they have the same behavior/properties. What is the same behavior? Notions of semantic equivalence. Does implementation A really implement specification B? Notions of semantic preorder. Central notions: Simulation and Bisimulation Definition Game theoretic characterization Logical characterization Verification of Infinite-State Systems 9 c 2004 Richard Mayr
General Model Labeled transition graph: (V, a, Act) V Act a V Act V Set of vertices. (Vertices interpreted as states.) Set of atomic actions. Directed edges, labeled with atomic actions. Consider semantic equivalences R V V in a single transition graph. States of different graphs can be compared by putting the graphs side-by-side and considering them as a single graph. Verification of Infinite-State Systems 10 c 2004 Richard Mayr
Semantic Equivalences: Definition Simulation: A relation R V V is a simulation if whenever (X, Y ) R then for each a Act: X with X a X Y with Y a Y and (X, Y ) R. Simulation preorder is the largest simulation relation, denoted by. Simulation equivalence is defined as Bisimulation: A relation R is a bisimulation iff it is a symmetric simulation. The largest bisimulation is an equivalence, denoted by. Verification of Infinite-State Systems 11 c 2004 Richard Mayr
Simulation Games Simulation game between two players: Attacker and Defender. Initial configuration: Pair of states (X, Y ). Attacker wants to show X Y. Defender wants to show X Y. In every round of the game: Attacker makes a move on the left side, e.g., X a X. Defender must respond by a move on the right side with the same action, e.g., Y a Y. The new configuration is (X, Y ). Next round. If one player cannot move then the other player wins. The defender wins every infinite game. Theorem: X Y iff the defender has a winning strategy. Verification of Infinite-State Systems 12 c 2004 Richard Mayr
Bisimulation Games Bisimulation game between two players: Attacker and Defender. Initial configuration (X, Y ). Attacker wants to show X Y. Defender wants to show X Y. In every round of the game: Attacker chooses a side (either X or Y ) and makes a move (e.g., X a X or Y a Y ). Defender must respond by a move on the other side with the same action (e.g., Y a Y or X a X ). The new configuration is (X, Y ). If one player cannot move then the other player wins. The defender wins every infinite game. Theorem: X Y iff the defender has a winning strategy. Verification of Infinite-State Systems 13 c 2004 Richard Mayr
Differences between Simulation and Bisimulation X Y a a a a b c b c b c X Y, but X Y. Verification of Infinite-State Systems 14 c 2004 Richard Mayr
Weak Simulation and Weak Bisimulation Need to abstract from internal actions in system models. E.g., prove the semantic equivalence of a more detailed implementation and an abstract specification. Weak simulation and weak bisimulation abstract from internal τ-actions. Defined with long moves τ a, τ instead of the normal internal actions before and after every visible action. a. Arbitrarily many On finite-state systems weak equivalences/preorders can be reduced to strong ones by computing the transitive closure w.r.t. τ-actions. On infinite-state systems this is not effectively possible in general. Verification of Infinite-State Systems 15 c 2004 Richard Mayr
(but not vice-versa). Connections to Temporal Logics On finite labeled transition graphs deciding,, is polynomial. For image-finite graphs is the equivalence induced by branching-time logics. For every branching-time temporal logic L with (e.g., L = CTL) we have Hennessy-Milner Logic L action-based µ-calculus X Y iff X,Y cannot be distinguished in L Every finite labeled transition graph can be described up-to (strong and weak) bisimulation equivalence in the temporal logic EF (a fragment of CTL) [Jančar, Kučera, Mayr]. Verification of Infinite-State Systems 16 c 2004 Richard Mayr
General Trends 1. On infinite-state systems, weak equivalences are computationally harder than strong ones. 2. Simulation is computationally harder than bisimulation on almost all natural classes of systems. Verification of Infinite-State Systems 17 c 2004 Richard Mayr
Decidability Results Stronger and stronger positive decidability results for strong bisimulation: Strong bisimilarity decidable for 1-counter machines [Jančar]. Strong bisimilarity decidable for normed pushdown automata [Stirling]. Strong bisimilarity decidable for general pushdown automata [Sénizergues]. Stronger and stronger negative decidability results for weak bisimulation: Weak bisimilarity undecidable for general pushdown automata [Srba]. Weak bisimilarity undecidable for normed pushdown automata [Srba]. Weak bisimilarity undecidable for normed 1-counter machines; even for normed 1-counter nets (Petri nets with only 1 unbounded place) [Mayr]. Verification of Infinite-State Systems 18 c 2004 Richard Mayr
Simulation vs. Bisimulation Complexity Simulation Bisimulation normed PA-normed PA undecidable decidable PDA-PDA undecidable decidable, EXPTIME-hard PDA-FS EXPTIME-complete PSPACE-complete BPA-FS EXPTIME-complete polynomial Verification of Infinite-State Systems 19 c 2004 Richard Mayr
Why is simulation harder than bisimulation? One can reduce bisimulation checking to simulation checking (in polynomial time) for any finitely generated class of transition systems that satisfies one of these properties [Kučera, Mayr, 2002]. The systems can test for non-enabledness of actions (e.g., test for zero). Satisfied, e.g., for pushdown automata. The class is closed under parallel composition of processes and synchronization (over the atomic actions). Satisfied, e.g., for Petri nets. Most classes of systems satisfy one of these requirements. checking must be at least as hard as bisimulation checking. Thus, simulation Verification of Infinite-State Systems 20 c 2004 Richard Mayr
Bisim. Sim.: Method 1 Given two labeled transition graphs S and T. Construct modified transition graphs S and T with the property: S T S T How? Encode the bisimulation game between S and T in a simulation game between S and T. Remark: One can easily reduce simulation preorder to simulation equivalence. Given systems S, T. Define S, T by S a S, S a T, T a T. Then S T S T Verification of Infinite-State Systems 21 c 2004 Richard Mayr
The Power of the Defender in Simulation Games How can the defender in the simulation game force the attacker to something? He threatens to become universal, i.e, to go to a universal state. (At a universal state every action is enabled and stays enabled forever, i.e., Act true.) a a,b,c c a a b a,b,c b c b c Verification of Infinite-State Systems 22 c 2004 Richard Mayr
The Power of the Defender in Bisimulation Games How can the defender in the bisim. game force the attacker to do something? He threatens to make the two processes equal. A technique by Jančar, Srba. (Here slightly improved): X X a a a a a Y 1 2 2 Y 1 Y 2 1 1 2 Z.1 Z.2 Z.1 Z.2 Verification of Infinite-State Systems 23 c 2004 Richard Mayr
Bisim. Game Sim. Game 1. Case (simple): If in the bisimulation game between S and T the attacker moves on the left side, i.e., S a S i, then the defender moves on the right side T a T j. Directly encoded in the simulation game between S and T. In simulation games the attacker always moves on the left side. One round of the bisimulation game encoded in one round of the simulation game. Verification of Infinite-State Systems 24 c 2004 Richard Mayr
Bisim. Game Sim. Game (cont.) 2. Case (more complex): Assume that in the bisimulation game between S and T the attacker moves on the right side, i.e., T a T i and the defender responds by S a S j. Encoding in the simulation game: Attacker moves S a i Ŝ (chooses i, demands move to T i on right side) Defender responds T a i T i,j (encodes i, chooses j) Attacker moves Ŝ a j S j (must make this move; otherwise defender wins) a j Defender moves T i,j T i c (All other moves lead to a universal state, T i,j U for all c aj.) One round of the bisimulation game encoded in two rounds of the simulation game. Verification of Infinite-State Systems 25 c 2004 Richard Mayr
Requirements for the Construction 1. Problem: The attacker (moving on the left side in S) cannot know which actions are currently enabled on the right side (in T ). What happens if the attacker demands something impossible, i.e., a move in T that is not enabled? The defender notices this and goes to a universal state (and thus wins the game). This response must be possible only if the required move is really not enabled. Analogously, if the defender demands an impossible move on the attacker s side, then the attacker can win by performing a special action. Conclusion: A test for enabledness of actions is required. pushdown automata, but not for Petri nets. Possible, e.g., for Verification of Infinite-State Systems 26 c 2004 Richard Mayr
Formal Def. of Construction 1. Given two labeled transition graphs S and T (with initial states s 0, t 0 ). Define new systems S := Attacker-extension(S) T := Defender-extension(T ) with initial states s 0, t 0. and obtain S T S T Verification of Infinite-State Systems 27 c 2004 Richard Mayr
i r[a i, j, 1] r[a i, j, d] λ j i a i s t δ 1 i δ d i a 1 a k a 1 a k a1 a k a 1 a k s(a 1, 1) s(a 1, n 1 ) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1 ) t(a k, 1) t(a k, m k ) t(a i, j) t(a i, j) succ(s, a 1 ) succ(s, a k ) succ(t, a 1 ) succ(t, a k ) Λ s Θ t γ Act a 1 δ 1 1 δ n 1 1 a 1 a k δ 1 k a k δ n k k s(a 1, 1) s(a 1, n 1 ) s(a k, 1) s(a k, n k ) λ j i λ j i r[a i, j, 1] r[a i, j, d] δ d i a i t(a i, j) δ 1 i t(a i, j) succ(s, a 1 ) succ(s, a k ) Act {δ 1 i } Act {δ d i } Act Act Verification of Infinite-State Systems 28 c 2004 Richard Mayr
Bisim. Sim.: Method 2 Given two labeled transition graphs S and T. Construct new transition graphs S := A comp(s, T ) and T := D comp(s, T ) with the property: S T S T Roughly speaking A comp(s, T ) := S T D comp(s, T ) := modified-sync.(s, T ) One round in the bisimulation game between S and T is emulated by two rounds in the simulation game between S and T. Intuition: Both S and T contain copies of both S and T. They always know which moves are possible in S and T. The construction enforces that these copies are kept consistent. Verification of Infinite-State Systems 29 c 2004 Richard Mayr
Bisim. Sim.: Method 2 (cont.) One round in the bisimulation game between S amd T : Attacker moves S a S i Defender replies T a T j This is emulated in two rounds in the simulation game between S and T. Attacker moves S = A comp(s, T ) x i A comp(s i, T ) Defender replies T = D comp(s, T ) x i D comp(s i, ˆT j ) Attacker moves A comp(s i, T ) x j A comp(s i, T j ) Defender replies D comp(s i, ˆT j ) x j D comp(s i, T j ) Conclusion: No test for enabledness of actions required, but parallel comp. and sync. are needed. Works, e.g., for Petri nets and subclasses, but not for PDA. Verification of Infinite-State Systems 30 c 2004 Richard Mayr
s t s(a a 1, 1) 1 s(a 1, n a 1) k s(a s(a 1, 1) lacements k, 1) s(a s(a 1, n k, 1) k ) s(a t(a k, 1) 1, 1) s s(a t(a k, n 1, m k ) t 1) t(a t(a 1, a1) k, 1) 1 t(a t(a 1, ma k, 1) k s(a k ) t(a k 1,, 1) t(a s(a k 1,, mn k 1) ) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a δ1 1 1, m 1) δ n 1 t(a 1 k, 1) t(a δk 1 k, m k ) δ n k k s Formally: Method 2 a 1 a k a 1 a k a 1 a k a 1 a k s λ 1 1 s(a 1, 1) λ m 1t s(a 1, n 1) s(a 1, 11) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1) t(a k, 1) t(a k, m k ) s(a λ 1 1, n 1) k λ m k s(a k k, 1) succ(s, a 1) succ(s, a k ) succ(t, a 1) succ(t, a k ) s(a k, n k ) t(a 1, 1) s t t(a 1, m 1) t(a k, 1) t(a k, m k ) ucc(s, a 1) δ1 1 δ n 1 1 δk 1 δ n k k λ 1 1 λ m 1 ucc(s, a 1 k ) λ 1 k λ m k k ucc(t, a 1) s(a 1, 1) s(a 1, n 1) s(a k, 1) s(a k, n k ) t(a 1, 1) t(a 1, m 1) t(a k, 1) t(a k, m k ) ucc(t, a k ) δ 1 1 δ n 1 1 δ 1 k δ n k k λ 1 1 λ m 1 1 λ 1 k λ m k k succ(s, a 1) succ(s, a k ) succ(t, a 1) succ(t, a k ) (s(a i, 1), t(a i, l)) δ 1 i (s(a i, n i), t(a i, l)) δ n i i (s(a i, 1), t(a i, l)) (s(a i, n i), t(a i, l)) t Act Act {δ 1 i } Act {δ n i i } Act λ l i λ l i (s, t) δ j i δ j i Act Act {λ 1 i } Act {λ m i i } (s(a i, j), t(a i, 1)) (s(a i, j), t(a i, m i)) Act λ 1 i λ m i i (s(a i, j), t(a i, 1)) (s(a i, j), t(a i, m i)) Fig. 2. States s and t of S and T, then the A-composition of S and T, and finally the D-composition of S and T. Verification of Infinite-State Systems 31 c 2004 Richard Mayr
Applied Verification Development of the practical tool IBOC (Incomplete Boundedness Checker). Analyzes systems described in UML RT and PROMELA. Solves questions for systems with asynchronous communication via buffers. Can one get a buffer overflow? Are the reachable buffer lengths bounded? If yes, then by what constant? Automatic incomplete boundedness check for communication buffers between capsules/processes, without exploring the state space. Gives answers YES or NOT PROVEN hints for abstraction refinement. Works by static analysis, without exploring the reachable state-space. Can derive upper bounds on reachable communication buffer content lengths in most cases. Verification of Infinite-State Systems 32 c 2004 Richard Mayr
Applied Verification (cont.) Technique 1: Abstract interpretation and overapproximation. Abstraction preserves Simulation preorder. Upper bounds on reachable channel contents. Technique 2: Static analysis for tracking ranges of crucial variables. Analyzing possible combinations of the effects of cycles in the control-flow graph. Linear programming. Scalable: Works in polynomial time on average-case UML RT/PROMELA models. (Exponential in the worst case). Approach can be generalized to related problems, e.g., memory allocation (memory leaks!), dynamic process creation/destruction, etc. Verification of Infinite-State Systems 33 c 2004 Richard Mayr
Case study: UML RT PBX Private Branch Exchange, a telephone switching system. System defined in UML RT 29 capsules 736 control states 57 communication buffers 308 different message types 10 40 control-state combinations alone, not even counting buffer contents. Run times of the IBOC-tool (on 1 GHz Pentium III): 30 seconds to prove boundedness of the whole system. 1 minute to compute upper bounds on the lengths of all 57 communication buffers. Paper to appear in TACAS 2004. Verification of Infinite-State Systems 34 c 2004 Richard Mayr
Case Study: PROMELA CORBA General Inter-ORB Protocol (GIOP). System model defined in PROMELA. 5 processes 135 control states 11 communication channels 108 different message types IBOC proved that there are only two causes of unboundedness: Flooding by user requests. Unboundedly many register messages for object migrations. If these two causes are removed then IBOC proves boundedness and computes upper bounds in about 10 seconds (on 1 GHz Pentium III). Paper to appear in SPIN 2004. Verification of Infinite-State Systems 35 c 2004 Richard Mayr
Conclusion Automated verification of infinite-state systems is harder than for finite-state ones, but feasible. It requires careful analysis of the problem complexities in all input parameters, and the combination of many techniques, e.g., Abstraction Semantic equivalences State-space reduction techniques Symbolic representation of infinite sets and relations Over- and under-approximation Acceleration Verification of Infinite-State Systems 36 c 2004 Richard Mayr